CVE-2012-2239
CVSS 9.1 · CRITICAL
Summary
Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack, as demonstrated by reading config.php.
CVSS 3.1 breakdown
| Metric | Value |
| --- | --- |
| Base score | 9.1 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | NONE |
Weakness type (CWE)
Affected products
- Mahara mahara
- Debian debian linux
References
- http://www.debian.org/security/2012/dsa-2591
- https://bugs.launchpad.net/mahara/+bug/1047111
- https://mahara.org/interaction/forum/topic.php?id=4869
Data: NIST NVD. NVD last modified 2026-04-29. Always verify against the vendor advisory before acting.